Who needs a CISO anyway?

New research from cloud services provider Navisite finds that 45 percent of companies do not employ a Chief Information Security Officer (CISO). However, of this group 58 percent think they should have one.

Only 40 percent of respondents say their cybersecurity strategy was developed by a CISO or member of the security team, with 60 percent relying on other parts of their organization, including IT, executive leadership and compliance.

The findings are based on a poll of 130 security, IT and compliance professionals in the US, with more than 60 percent working in companies with between 100 and 5,000 staff. A worrying 21 percent of respondents admit their company does not have a dedicated person or people whose sole responsibility is security/cybersecurity.

Although 80 percent of respondents feel their company exhibited strong cybersecurity leadership during the COVID-19 pandemic, 75 percent say their company experienced an increase in overall cybersecurity threat volume in the last year.

Not having a CISO does affect how people feel about security. 70 percent of respondents express confidence in the effectiveness of their cybersecurity program, but that drops to 58 percent for companies without a CISO. Nearly half (47 percent) of respondents believe their company doesn't spends enough on cybersecurity.

"The survey results support what we're seeing across the board: organizations prioritized their security efforts during COVID, but at the same time, they’re acutely aware of how much more they need to do to effectively defend against cyber threats," says Aaron Boissonnault, Navisite CISO. "The data also points to an ongoing problem in the industry: a cybersecurity skills shortage that extends to the highest levels. Companies value and want cybersecurity leadership, but it is increasingly difficult to find and retain these individuals."

The full report is available from Navisite.

Photo credit: Den Rise / Shutterstock